
Are You Letting SIEM do its Job?

Most of us already think SIEM seems like a good investment. Collecting and analysing logs from every device on the network should result in better awareness and, most importantly, a more secure infrastructure.

But information alone isn’t power. Awareness isn’t insight. And with thousands, hundreds of thousands, and even millions of alerts every single day, few people are taking full advantage of SIEM. They make a sound investment – but fail to draw out its real value.

In my experience, getting value from SIEM is easier than it sounds. There’s no need to slowly plod through millions of alerts. Instead, ask yourself just three simple questions:

What, Why, and Who

What information has value?

Don’t just collect a mass of data and analyse it randomly. Instead, begin with a clear idea of what it would be useful to know.

Let’s take a common example – a firewall. All too often, there’s a tendency to treat deny logs (the things the firewall blocked) as highly important. But why? These are the times when the firewall did its job.

Instead, when looking at firewall data, we need to know what has entered or exited the network. So, before we start looking at data, we know the most valuable information is what was allowed in and out.

Why does this information matter?

When you’ve decided what information you’re interested in, take a step back and ask yourself why. What is it about these events that is useful? What do they imply, and what insight can they provide into your infrastructure?

Because if you don’t know why you need the data, chances are you don’t need it at all.

Let’s go back to our firewall example. Information about what was allowed in and out provides insight because it shows potential weaknesses. If traffic we’d rather block is coming in or heading out, we can respond accordingly.

Equally, there may be traffic that fits a normal profile, like web packets. But this permitted traffic could be connecting to a server known to carry malware, or using your resources as part of a distributed denial of service (DDoS) botnet. So, as well as identifying weaknesses in our firewall configuration, we also want to collect allowed connections because they may correlate with known threats.

Often, the why is naturally linked to the what. But take time to articulate it anyway. When you know what the point of looking at the SIEM data is, you’ll be ready to spot patterns and potential concerns.

Who is involved in this event?

We already know what subset of data we’re going to look at, and why it makes sense to do so. But here’s the hard part – we need to consider who is involved in the transfer of data.

This is where traditional SIEM tends to fall down, and where more recent solutions can take advantage of their integrated nature.

Consider my fictional firewall for one last time. We’ve pulled masses of information on what traffic is being permitted into and out of the network – so we’ve taken a targeted approach that’ll save us time and effort.

But we still need to identify which traffic is legitimate, and which poses a threat.

BlackStratus solutions that include SIEM have access to wider threat intelligence that correlates your data against known malware, exploits, and compromised external hosts. They provide a single tool that can give you the who you need to know, so you don’t just obtain information – you get useful, practical, and actionable insight into it.
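The What and Who steps from the firewall example, carried through as an added illustration that is not part of the original post and not code from BlackStratus or Alpha Generation: the script keeps only the events the firewall allowed, works out which side of each flow is the external host, and looks that host up in a threat-intelligence table. The log format, the IP addresses, the `THREAT_INTEL` entries, the `INTERNAL_NETS` list and the `correlate` function are all constructed for this example; a real SIEM would substitute its own parser and feed.

```python
"""Triage firewall logs as the post suggests: keep only what the firewall
ALLOWED (the "what"), then correlate the external host of each allowed
flow against a threat-intelligence list (the "who").

Every log line, address and indicator below is constructed for this
example. The log format is a simplified, hypothetical one, not any
vendor's real syntax.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical firewall log format (constructed for the example):
#   <timestamp> <fw-name> <ACTION> <proto> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log lines (documentation/test address ranges only).
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z fw01 DENY TCP 198.51.100.7:51234 -> 10.0.0.5:22
2024-03-01T10:00:02Z fw01 ALLOW TCP 10.0.0.23:49152 -> 203.0.113.10:443
2024-03-01T10:00:03Z fw01 ALLOW TCP 10.0.0.23:49153 -> 203.0.113.66:443
2024-03-01T10:00:04Z fw01 ALLOW UDP 10.0.0.40:53000 -> 203.0.113.66:53
2024-03-01T10:00:05Z fw01 DENY TCP 198.51.100.7:51235 -> 10.0.0.5:3389
2024-03-01T10:00:06Z fw01 ALLOW TCP 203.0.113.99:40000 -> 10.0.0.5:443
garbage line that should be skipped
""".splitlines()

# Constructed threat-intelligence feed: indicator -> why it is listed.
THREAT_INTEL = {
    "203.0.113.66": "known malware C2",
    "203.0.113.99": "compromised external host",
}

# Assumed internal address space for the fictional network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(lines):
    """Yield parsed events as dicts; lines that do not match are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["dport"] = int(ev["dport"])
            yield ev


def allowed_events(lines):
    """The 'what': only the traffic the firewall let through."""
    return [ev for ev in parse(lines) if ev["action"] == "ALLOW"]


def external_peer(ev):
    """Return (external address, direction) for a flow that crosses the
    perimeter, or (None, None) for flows that stay on one side."""
    src_in, dst_in = is_internal(ev["src"]), is_internal(ev["dst"])
    if src_in and not dst_in:
        return ev["dst"], "outbound"
    if dst_in and not src_in:
        return ev["src"], "inbound"
    return None, None


def correlate(lines, intel=THREAT_INTEL):
    """The 'who': match each allowed flow's external peer against intel.
    Returns one finding per allowed event whose peer is listed."""
    findings = []
    for ev in allowed_events(lines):
        peer, direction = external_peer(ev)
        if peer in intel:
            findings.append({
                "ts": ev["ts"],
                "direction": direction,
                "internal_host": ev["src"] if direction == "outbound" else ev["dst"],
                "peer": peer,
                "tag": intel[peer],
                "proto": ev["proto"],
                "dport": ev["dport"],
            })
    return findings


def summarize(findings):
    """Hits per internal host, so the host needing attention surfaces first."""
    return Counter(f["internal_host"] for f in findings).most_common()


if __name__ == "__main__":
    hits = correlate(SAMPLE_LOGS)
    for f in hits:
        print(f"{f['ts']} {f['direction']:8} {f['internal_host']} <-> {f['peer']} "
              f"({f['tag']}) {f['proto']}/{f['dport']}")
    print(summarize(hits))
```

Run as written, the two DENY lines never reach the correlation step, the allowed flow to 203.0.113.10 is parsed but produces nothing because that host is not in the feed, and the three flows touching listed hosts become findings: two outbound from different internal hosts to the same C2 address, and one inbound from a compromised host that the firewall permitted on 443. That last one is the case the post is driving at: an allowed event that looks like ordinary web traffic until the who is known.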
